Introduction

to
Computer
Security
Class General Rules
• Food and Drink during lecture
• Attendance
• Mobile Phone
• Are you late?
• Means of Communications:
• Whatsapp
• Microsoft Teams
• Class Disturbance

2
Asking questions during class
• All questions are considered

3
Text Book
• “Computer Security: Principles and Practice,” Stallings and
Brown, 3rd or 4th Edition

4
Grade Percentage

• Final Exam: 50%

• Midterm Exam: 25%
• Quizzes: 10%
• HWs: 5%
• Project: 10%
• Subject to change

5
Topics
• M01: Introduction to Information Security
• M02: Introduction to Cryptography
• M03: User Authentication, Access Control, and Operating Systems
• M04: Malicious Software and Denial of Service Attacks
• M05: Intrusion Detection System
• M06: Firewalls
• M07: Internet Protocols and Standards

6
Topics
• M01: Introduction to Information Security
• M02: Introduction to Cryptography
• M03: User Authentication, Access Control, and Operating Systems
• M04: Malicious Software and Denial of Service Attacks
• M05: Intrusion Detection System
• M06: Firewalls
• M07: Wireless, IoT, and Cloud Security
• M08: Internet Protocols and Standards
• M09: Security Auditing, Legal and Ethical Aspects

7
Introduction to Information Security

CIA Triad Protecting Assets Security Concepts

Attacks Counter Measures Security Aspects

(Active & Passive)
 The NIST Internal/Interagency Report NISTIR
7298 defines the term computer security
as follows:

Measures and controls that ensure confidentiality, integrity, and

availability of information system assets including hardware,
software, firmware, and information being processed, stored, and
communicated
Key Security Objectives
• Confidentiality
o Data confidentiality: assure confidential information not made available to unauthorized
individuals
o Privacy: assure individuals can control what information related to them is collected,
stored, distributed

• Integrity
o Data integrity: assure information and programs are changed only in an authorized
manner
o System integrity: assure system performs intended function

• Availability
o Assure that systems work promptly and service is not denied to authorized users
CIA Triad
Key Security Concepts

Confidentiality Integrity Availability

• Preserving
• Guarding against • Ensuring timely
authorized
improper and reliable access
restrictions on
information to and use of
information access
modification or information
and disclosure,
destruction,
including means
including ensuring
for protecting
information
personal privacy
nonrepudiation
and proprietary
and authenticity
information
1. Computer security is not as simple as it might first appear to the novice

2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those
security features

3. Procedures used to provide particular services are often counterintuitive

4. Physical and logical placement of security mechanisms needs to be determined

5. Security mechanisms typically involve more than a particular algorithm or protocol and also require that participants be in
possession of some secret information which raises questions about the creation, distribution, and protection of that secret
information
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to
achieve perfect security

7. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than
being an integral part of the design process

8. Security requires regular and constant monitoring

9. There is a natural tendency on the part of users and system managers to perceive little benefit from security
investment until a security failure occurs

10. Many users and even security administrators view strong security as an obstacle to efficient and user-friendly
operation of an information system or use of information
 Computer Security Concepts
• Assets

• Security Policies

• Vulnerabilities

• Threats

• Attacks

• Countermeasure
Assets of a Computer System
(things that we want to protect)

Hardware (computer)

Software (web server)

Data (files/databases/passwords)

Communication facilities/links and

networks (link between computers)
 Table 1.3
Computer and Network Assets, with Examples of Threats
Vulnerabilities, Threats and Attacks
• Security Policy
• Set of rules and practices that specifies how a certain
organization/company provides security services to protect assets

• Example in the university there is a policy for who can access student’s data
(Confidentiality).

• Can I access your grades in another course?

• The organization must implement certain techniques to implement those policies

Vulnerabilities, Threats and Attacks

• Categories of vulnerabilities
• Corrupted (loss of integrity – ex: asset doesn’t do its function)

• Leaky (loss of confidentiality – ex: asset may leak out information)

• Unavailable or very slow (loss of availability - ex: users can’t access the asset)

• Note that it is complex to write a software without a bug

• it is complex to build a hardware without flaws,
• and it is complex to keep track of data

There are often vulnerabilities… try to avoid them

Vulnerabilities, Threats and Attacks
• Threats

• Potential violation of security policy by exploiting a vulnerability

• Represent potential security harm to an asset

• If we have a policy that a student can’t access the grades of

another student. Threat is if something allow a student to
potential access another student’s grades.
Vulnerabilities, Threats and Attacks
• Attacks

• A threat that is carried out; a successful attack leads to violation of

security policy

• Passive – attempt to learn or make use of information from the

system that does not affect system resources

• Active – attempt to alter system resources or affect their operation

• Insider – initiated by an entity inside the security parameter

• Outsider – initiated from outside the perimeter

Countermeasures
Means used to
A way to deal with an attack deal with
Detect, respond, prevent, recover security attacks
• Prevent
• Detect
• Recover
Aim to minimize the risks

Residual
vulnerabilities
may remain

Goal is to
May itself
minimize
introduce new
residual level of
vulnerabilities
risk to the assets
Threat Consequences and Attacks

• Threat Action: an attack

• Threat Agent: Entity that attacks, or is threat to system (hacker, attacker

(don’t have to be bad - law enforcement), malicious user)

• Threat Consequence: A security violation that results from threat

action
 Types of Attacks

Passive attacks

Active attacks
Passive and Active Attacks

Passive Attack Active Attack

• Attempts to learn or make use of • Attempts to alter system

information from the system but does resources or affect their
not affect system resources operation

• Eavesdropping on, or monitoring of,

transmissions • Involve some modification of the
data stream or the creation of a
• Goal of attacker is to obtain false stream
information that is being transmitted

• Two types: • Four categories:

• Replay
• Release of message contents • Masquerade
• Traffic analysis • Modification of messages
• Denial of service
Release Message Contents
Traffic Analysis
Masquerade Attack
Replay Attack
Modification Attack
Denial of Service Attack
 Types of Attacks

Passive attacks: are in the nature of eavesdropping on, or monitoring of, transmissions. The goal
of the attacker is to obtain information that is being transmitted.
Two types of passive attacks are:
a) release of message contents
b) traffic analysis.

Active attacks: involve some modification of the data stream or the creation of a false stream.
Fours types of active attacks are:
a) Replay attack
b) Masquerade attack
c) Modification of messages attack
d) Denial of service.
 Aspects of Security

• Security Attack: Any action that attempts to compromise the security of information or facilities

• Security Mechanism: A method for preventing, detecting or recovering from an attack (example:
encryption)

• Security Service: is provided by a protocol layer of communicating systems that ensures adequate security of
the systems or of data transfers. It is implemented by security mechanisms
Security Mechanisms
• Specific security mechanisms from ITU-U X.800 (cryptographic
techniques)

1. Encryption/Decryption
2. Digital Signature
3. Access Control
4. Data Integrity
5. Authentication Exchange
6. Traffic Padding (hide traffic pattern)
Security Services
1. Authentication Assure that the communicating entity is the one that it
claims to be. (Peer entity and data origin authentication)

2. Access Control Prevent unauthorized use of a resource (ex using firewall

to stop all students from accessing FB)

3. Data Confidentiality Protect data from unauthorized disclosure

4. Data Integrity Assure data received are exactly as sent by authorized entity

5. Non-repudiation Protect against denial of one entity involved in

communications of having participated in communications

6. Availability System is accessible and usable on demand by authorized users

according to intended goal
Security Architecture

• IDS: Intrusion Detection Systems

• IPS: Intrusion Prevention Systems
Knowledge Areas in Information Security

Cyber Cyber Digital Cyber Secure Cyber Policy

Defense Operations Forensics Physical Software and Law
Systems Develop.
Cryptography Cyber Attack HW and SW IoT Secure Laws,
System Regulations,
Computer Penetration Incident SCADA Design and Acts
Security Testing Response Systems
Secure Coding Governmental
Data Security Cyber Cybercrime Industrial Polices and
Intelligence Control Secure Practices
Network Cyber Law Systems Deployment
Security Reverse Enforcement
Engineering Maintainabilit
Information y
Assurance
 Standards
• Standards have been developed to cover management practices and the overall architecture of
security mechanisms and services
• The most important of these organizations are:

• National Institute of Standards and Technology (NIST)

• NIST is a U.S. federal agency that deals with measurement science, standards, and technology related
to U.S. government use and to the promotion of U.S. private sector innovation

• Internet Society (ISOC)

• ISOC is a professional membership society that provides leadership in addressing issues that confront
the future of the Internet, and is the organization home for the groups responsible for Internet
infrastructure standards

• International Telecommunication Union (ITU-T)

• ITU is a United Nations agency in which governments and the private sector coordinate global
telecom networks and services

• International Organization for Standardization (ISO)

• ISO is a nongovernmental organization whose work results in international agreements that are
published as International Standards
Areas To Explore
 Standards and procedures for computer security
• ISO/ITU, NIST FIPS, IETF, IEEE,…

 Monitoring and trends in threats and attacks

• US-CERT: https://www.us-cert.gov/ncas/alerts
• CVE: Common Vulnerabilities and Exposures (CVE)
• NVD: NATIONAL VULNERABILITY DATABASE (NIST)

 Certification and professional associations

• SANS, CISSP, CCSP, GIAC, CompTIA, . . .